{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52895", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-08-21T06:07:11.013Z", "datePublished": "2024-08-21T06:10:35.179Z", "dateUpdated": "2024-12-19T08:28:03.459Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:28:03.459Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: don't reissue in case of poll race on multishot request\n\nA previous commit fixed a poll race that can occur, but it's only\napplicable for multishot requests. For a multishot request, we can safely\nignore a spurious wakeup, as we never leave the waitqueue to begin with.\n\nA blunt reissue of a multishot armed request can cause us to leak a\nbuffer, if they are ring provided. While this seems like a bug in itself,\nit's not really defined behavior to reissue a multishot request directly.\nIt's less efficient to do so as well, and not required to rearm anything\nlike it is for singleshot poll requests."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["io_uring/poll.c"], "versions": [{"version": "c06015ebc4367be38904b88582e13cc079672075", "lessThan": "36fc7317cdb16cfeae0f879916995037bb615ac4", "status": "affected", "versionType": "git"}, {"version": "6e5aedb9324aab1c14a23fae3d8eeb64a679c20e", "lessThan": "8caa03f10bf92cb8657408a6ece6a8a73f96ce13", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["io_uring/poll.c"], "versions": [{"version": "6.1.7", "lessThan": "6.1.8", "status": "affected", "versionType": "semver"}]}], "references": [{"url": "https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4"}, {"url": "https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13"}], "title": "io_uring/poll: don't reissue in case of poll race on multishot request", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:03:46.864583Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:33:13.444Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:03:46.864583Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:18.025Z"}}], "cna": {"title": "io_uring/poll: don't reissue in case of poll race on multishot request", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "c06015ebc436", "lessThan": "36fc7317cdb1", "versionType": "git"}, {"status": "affected", "version": "6e5aedb9324a", "lessThan": "8caa03f10bf9", "versionType": "git"}], "programFiles": ["io_uring/poll.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.1.7", "lessThan": "6.1.8", "versionType": "custom"}], "programFiles": ["io_uring/poll.c"], "defaultStatus": "unaffected"}], "references": [{"url": "https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4"}, {"url": "https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: don't reissue in case of poll race on multishot request\n\nA previous commit fixed a poll race that can occur, but it's only\napplicable for multishot requests. For a multishot request, we can safely\nignore a spurious wakeup, as we never leave the waitqueue to begin with.\n\nA blunt reissue of a multishot armed request can cause us to leak a\nbuffer, if they are ring provided. While this seems like a bug in itself,\nit's not really defined behavior to reissue a multishot request directly.\nIt's less efficient to do so as well, and not required to rearm anything\nlike it is for singleshot poll requests."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-08-21T06:10:35.179Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52895", "state": "PUBLISHED", "dateUpdated": "2024-09-12T17:33:13.444Z", "dateReserved": "2024-08-21T06:07:11.013Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-08-21T06:10:35.179Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:6.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "6E5E3E6D-B23E-4B23-9819-3DEB8963E4E3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: don't reissue in case of poll race on multishot request\n\nA previous commit fixed a poll race that can occur, but it's only\napplicable for multishot requests. For a multishot request, we can safely\nignore a spurious wakeup, as we never leave the waitqueue to begin with.\n\nA blunt reissue of a multishot armed request can cause us to leak a\nbuffer, if they are ring provided. While this seems like a bug in itself,\nit's not really defined behavior to reissue a multishot request directly.\nIt's less efficient to do so as well, and not required to rearm anything\nlike it is for singleshot poll requests."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: io_uring/poll: no volver a emitir en caso de ejecuci\u00f3n de sondeo en solicitud de m\u00faltiples disparos. Una confirmaci\u00f3n anterior solucion\u00f3 una ejecuci\u00f3n de sondeo que puede ocurrir, pero solo se aplica a solicitudes de m\u00faltiples disparos. Para una solicitud de disparo m\u00faltiple, podemos ignorar con seguridad una activaci\u00f3n espuria, ya que, para empezar, nunca salimos de la cola de espera. Una reemisi\u00f3n contundente de una solicitud de armado de m\u00faltiples disparos puede hacer que perdamos un b\u00fafer, si se proporciona en anillo. Si bien esto parece un error en s\u00ed mismo, en realidad no es un comportamiento definido volver a emitir una solicitud multidisparo directamente. Tambi\u00e9n es menos eficiente hacerlo y no es necesario rearmar nada como lo es para solicitudes de sondeo de un solo disparo."}], "id": "CVE-2023-52895", "lastModified": "2024-09-11T16:31:31.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-21T07:15:06.007", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: io_uring/poll: don't reissue in case of poll race on multishot request", "id": "2306423", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2306423"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-401", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nio_uring/poll: don't reissue in case of poll race on multishot request\nA previous commit fixed a poll race that can occur, but it's only\napplicable for multishot requests. For a multishot request, we can safely\nignore a spurious wakeup, as we never leave the waitqueue to begin with.\nA blunt reissue of a multishot armed request can cause us to leak a\nbuffer, if they are ring provided. While this seems like a bug in itself,\nit's not really defined behavior to reissue a multishot request directly.\nIt's less efficient to do so as well, and not required to rearm anything\nlike it is for singleshot poll requests."], "name": "CVE-2023-52895", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52895\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52895\nhttps://lore.kernel.org/linux-cve-announce/2024082111-CVE-2023-52895-5be2@gregkh/T"], "threat_severity": "Moderate"}